Professional Documents
Culture Documents
NIST SP 800-171 Assessment Methodology Version 1.2.1 6.24.2020
NIST SP 800-171 Assessment Methodology Version 1.2.1 6.24.2020
Table of Contents
1) Background
2) Purpose
4) Levels of Assessment
7) Glossary of Terms
Annex B - Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment Results Format
1
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
1) Background
a) Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012,
Safeguarding Covered Defense Information and Cyber Incident Reporting, requires
contractors and subcontractors to provide ‘adequate security’ to safeguard covered
defense information, hereto referred to, for the purposes of this methodology, as
Department of Defense (DoD) controlled unclassified information (CUI) 1, when
residing on or transiting through a contractor’s/subcontractor’s internal information
system or network, and to report cyber incidents that affect that system or network to
DoD. DFARS clause 252.204-7012 further states that to provide adequate security, the
Contractor shall implement, at a minimum, the security requirements in National
Institute of Standards and Technology (NIST) Special Publication (SP) 800-171,
Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and
Organizations. Contractors are also required to flow down DFARS Clause 252.204-
7012 to all subcontracts for operationally critical support, or for which subcontract
performance will involve DoD CUI. Contractors must mark or otherwise identify, in
accordance with direction contained within the specific contract, DoD CUI that is
collected, developed, received, transmitted, used, or stored by or on behalf of the
contractor in support of performance of the contract.
b) DFARS provision 252.204-7008, Compliance with Safeguarding Covered Defense
Information Controls, requires, among other things, offerors to represent they will
implement the security requirements in NIST SP 800-171 in effect at the time the
solicitation is issued or as authorized by the contracting officer. To document
implementation of NIST SP 800-171, the contractor must develop, document, and
periodically update a system security plan that describes system boundaries, system
environments of operation, how security requirements are implemented, and the
relationships with or connections to other systems. If implementation of the security
requirements is not complete, companies must develop and implement plans of
action to describe when and how any unimplemented security requirements will be
met.
c) Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S)) memorandum,
“Strategically Implementing Cybersecurity Contract Clauses,” dated February 5, 2019,
directed the Defense Contract Management Agency (DCMA) to pursue, with
companies for which they administer contracts, the application of a standard
methodology and approach to assess a contractor’s implementation of NIST SP 800-
171 at a strategic (corporate-wide) level as an alternative to the requirement for
1
DoD is transitioning from the use of the term ‘covered defense information’ in the DFARS to “DOD Controlled
Unclassified Information (CUI), consistent with DoDI 5200.48, Controlled Unclassified Information (CUI)”
2
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
2) Purpose
a) The NIST SP 800-171 DoD Assessment Methodology, Version 1.2 documents a standard
methodology that enables a strategic assessment of a contractor’s implementation of
NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.
b) This methodology is used for assessment purposes only and does not, and is not
intended to, add any substantive requirements to either NIST SP 800-171 or DFARS
clause 252.204-7012.
c) DoD will use this methodology to assess the implementation of NIST SP 800-171 by its
prime contractors. Prime contractors may use this methodology to assess the
implementation status of NIST SP 800-171 by subcontractors.
d) This methodology informed the conduct of pilot NIST SP 800-171 DoD Assessments
performed by DCMA, in partnership with the Defense Counterintelligence and Security
Agency (DCSA) and the DoD Components, during 2019. DoD will update and codify
this methodology in policy/regulation.
4) Levels of Assessment
a) Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment
i) The Basic Assessment is the Contractor’s self- assessment of NIST SP 800-171
implementation status, based on a review of the system security plan(s) associated
with covered contractor information system(s), and conducted in accordance with
3
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
2
A virtual High Assessment was developed in response to the COVID-19 epidemic to allow protections of assessors
and DIB personal to limit travel and exposure of staffs whilst still being able to assess contractor risk. The
government may utilize this methodology in the future as required in response to similar or other scenarios.
4
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
c) While NIST SP 800-171 does not prioritize security requirements, certain requirements
have more impact on the security of the network and its data than others. This scoring
methodology incorporates this concept by weighting each security requirement based
on the impact to the information system and the DoD CUI created on or transiting
through that system, when that requirement is not implemented.
d) Weighted requirements include all of the fundamental NIST SP 800-171 ‘Basic Security
Requirements’ - high-level requirements which, if not implemented, render ineffective
the more numerous ‘Derived Security Requirements’; and a subset of the ‘Derived
Security Requirements’- requirements that supplement the Basic Security
Requirements - which, if not implemented, would allow for exploitation of the
network and its information.
i) For security requirements that, if not implemented, could lead to significant
exploitation of the network, or exfiltration of DoD CUI, 5 points are subtracted
from the score of 110. For example, failure to limit system access to authorized
users (Basic Security Requirement 3.1.1) renders all the other Access Control
requirements ineffective, allowing easy exploitation of the network; failure to
control the use of removable media on system components (Derived Security
Requirement 3.8.7) could result in massive exfiltration of CUI and introduction of
malware.
(1) Basic Security Requirements with a value of 5 points include 3.1.1, 3.1.2,
3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.4.2, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.7.2, 3.8.3, 3.9.2,
3.10.1, 3.10.2, 3.12.1, 3.12.3, 3.13.1, 3.13.2, 3.14.1, 3.14.2, and 3.14.3.
(2) Derived Security Requirements with a value of 5 points include 3.1.12,
3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.3.5, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.10, 3.7.5,
3.8.7, 3.11.2, 3.13.5, 3.13.6, 3.13.15, 3.14.4, and 3.14.6.
ii) For Basic and Derived Security Requirements that, if not implemented, have a
specific and confined effect on the security of the network and its data, 3 points
are subtracted from the score of 110. For example, failure to limit access to CUI
on system media to authorized users (Security Requirement 3.8.2) or failure to
encrypt CUI stored on a mobile device (Security Requirement 3.1.19), put the CUI
stored on the system media or mobile device at risk, but not the CUI stored on
the network itself.
(1) Basic Security Requirements with a value of 3 points include 3.3.2, 3.7.1,
3.8.1, 3.8.2, 3.9.1, 3.11.1, and 3.12.2.
(2) Derived Security Requirements with a value of 3 points include 3.1.5,
3.1.19, 3.7.4, 3.8.8, 3.13.8, 3.14.5, and 3.14.7.
iii) All remaining Derived Security Requirements, if not implemented, have a limited
or indirect effect on the security of the network and its data. For these, 1 point
6
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
is subtracted from the score of 110. For example, failing to prevent reuse of
identifiers for a defined period (Security Requirement 3.5.5) could allow a user
access to CUI to which they were not approved.
e) Two Derived Security Requirements can be partially effective even if not completely or
properly implemented, and the points deducted should be adjusted depending on
how the security requirement is implemented.
i) Multi-factor authentication (MFA) (Security Requirement 3.5.3) is typically
implemented first for remote and privileged users (since these users are both
limited in number and more critical) and then for the general user, so 3 points
are subtracted from the score of 110 if MFA is implemented only for remote and
privileged users; 5 points are subtracted from the score of 110 if MFA is not
implemented for any users.
ii) FIPS validated encryption (Security Requirement 3.13.11) is required to protect
the confidentiality of CUI. If encryption is employed, but is not FIPS validated, 3
points are subtracted from the score of 110; if encryption is not employed, 5
points are subtracted from the score of 110.
f) Although not common, future revisions of NIST SP 800-171 may add, delete or
substantively revise security requirements. When this occurs, a value will be assigned
to any new or modified requirements in accordance with this scoring methodology.
g) The contractor must have a system security plan (Basic Security Requirement 3.12.4)
in place to describe each covered contractor information system, and a plan of action
(Basic Security Requirement 3.12.2) in place for each unimplemented security
requirement to describe how and when the security requirement will be met.
i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the
review of a system security plan describing how the security requirements are
met, it is not possible to conduct the assessment if the information is not
available. The absence of a system security plan would result in a finding that
‘an assessment could not be completed due to incomplete information and
noncompliance with DFARS clause 252.204-7012.’
ii) Plans of action addressing unimplemented security requirements are not a
substitute for a completed requirement. Security requirements not
implemented, whether a plan of action is in place or not, will be assessed as ‘not
implemented.’ For example, if the initial roll-out of 3.5.3, multifactor
authentication, is only 75% complete, and there is a plan of action still being
implemented, 3.5.3 will be considered ‘not implemented’, as the requirement
has not been fully implemented.
iii) A lack of plan of action for unimplemented security requirements will result in
Security Requirement 3.12.2 being assessed as ‘not implemented.’
7
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
h) Temporary deficiencies and/or isolated enduring exceptions which occur during initial
implementation, or arise after implementation, are to be expected in most complex
environments.
i) Temporary deficiencies that are appropriately addressed in plans of action (i.e.,
include deficiency reviews, milestones, and show progress towards the
implementation of corrections to reduce or eliminate identified vulnerabilities)
should be assessed as ‘implemented.’ For example, when a plan of action
addresses a ‘temporary deficiency’ that arises after implementation (e.g.,
3.13.11, employ FIPS validated cryptography, had been implemented, but
subsequently a patch invalidated the FIPS validation of a particular cryptographic
module), the requirement will be scored ‘as implemented.’ A ‘temporary
deficiency’ may also arise during initial implementation of a NIST SP 800-171
requirement if, during roll-out, specific issues with certain equipment is
discovered that has to be separately addressed (e.g., certain specific hardware or
software unexpectedly needs to be changed for the requirement to be
successfully applied). If the implementation roll-out has otherwise been
completed, this ‘temporary deficiency’ plan of action would be considered, and
the requirement scored ‘as implemented.’ There is no standard duration for
which a ‘temporary deficiency’ may be active. It is what is reasonable, which
would take into consideration the availability of the solution, the cost and time
to implement, the overall risk and whether any mitigations are applied in the
interim. Generally, deficiencies should be resolved as soon as is reasonably
possible.
ii) Isolated enduring exceptions encountered during implementation, such as
unique equipment or environments (e.g., specialized manufacturing equipment
or a unique laboratory environment) may prevent the implementation of certain
security requirements. Isolated enduring exceptions are typically not suitable to
address in plans of action, but when described, along with any mitigations, in the
system security plan such exceptions should be assessed as ‘implemented.’
i) For certain requirements, questions often arise on whether or not they are actually
implemented. These situations are addressed below:
i) Security Requirements 3.1.12, 3.1.16, 3.1.18: Companies commonly do not
allow remote access, wireless access or connection of mobile devices and may
indicate these requirements as ‘Not Applicable’ or ‘Not Implemented’ in the
system security plan. The evaluator should not deduct points in such cases.
However, if the company disallows use of remote, wireless, or mobile access,
they should also have a policy and procedure in place to insure these capabilities
are not enabled inadvertently. This should be discussed as part of the Medium-
8
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
Level assessment, and if such policy and procedures are not in place a point
should be assessed.
ii) Security Requirement 3.13.8: When implementing this requirement, encryption,
though preferred, is not required if using common-carrier provided
Multiprotocol Label Switching (MPLS), as the MPLS separation provides sufficient
protection without encryption.
iii) Security Requirement 3.13.11: Cryptography used to protect the confidentiality
of CUI must be FIPS-validated, which means the cryptographic module has to
have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply
using an approved algorithm (e.g., FIPS 197 for AES) is not sufficient - the module
(software and/or hardware) used to implement the algorithm must be
separately validated under FIPS 140. Note however, that this is required when
encryption is required for protection, which is typically external to the
contractor's covered information system (assuming the system meets NIST SP
800-171). Cryptography used for other purposes within the protected
information system need not be FIPS validated. When required, if encryption is
not employed (FIPS validated or otherwise), 5 points are subtracted from the
score of 110. If encryption is employed, but is not FIPS validated, 3 points are
subtracted from the score of 110. Isolated use of non-FIPS validated
cryptography, with an associated Plan of Action, should be treated as a
temporary deficiency and assessed as ‘implemented.’
j) If a contractor received a favorable adjudication from the DoD CIO indicating that a
requirement is not applicable or that an alternative security measure is equally
effective in accordance with DFARS 252.204-7008 or 7012, the DoD CIO assessment
should be included in the Contractor’s system security plan. Implemented security
measures adjudicated by the DoD CIO as equally effective, and security requirements
approved by the DoD CIO as ‘not applicable,’ will be assessed as ‘implemented.’ Once
DOD CIO assessments approving “not applicable” requirements or “alternative
security measures” are included in the Contractor's system security plan, the
contractor does not need to submit that documentation for every current contract
with the DFARS 252.204-7012 clause unless specifically requested to do so by the
contracting officer. When completing the Basic (Contractor Self-Assessment) NIST SP
800-171 DoD Assessment Results Format, the contractor shall score any security
requirements for which an assessment of “not applicable” or “alternative security
measures” was previously approved by DoD CIO as ‘implemented’.
k) A template illustrating the application of this scoring methodology is provided at
Annex A of this document.
l) DoD will provide medium and high assessment results to the Contractor and offer the
opportunity for rebuttal and adjudication of assessment results. Upon completion of
9
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
each assessment, the assessed contractor has 14 business days to provide additional
information to the assessment team, to demonstrate that they meet any security
requirements not observed by the assessment team or to rebut the findings that may
be of question.
10
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
system security plan(s) if the contractor has more than one system security plan
and CAGE code. Additionally, a brief description of the system security plan
architecture may be required if more than one plan exists.
iv) Date and level of the assessment, i.e., basic, medium, or high.
v) Summary level score (e.g., 105 out of 110), but not the individual value assigned
for each requirement.
vi) Date a score of 110 is expected to be achieved (i.e., all requirements
implemented) based on information gathered from associated plan(s) of action
developed in accordance with NIST SP 800-171.
e) Department policy/procedures/guidance will be updated to direct
acquisition/procurement officials and contractors to access SPRS to determine if a
strategic assessment has been conducted.
f) DoD Components should rely on assessment results posted in SPRS in lieu of
including requirements to assess implementation of NIST SP 800-171 on a contract-
by-contract basis.
g) A High NIST SP 800-171 DoD Assessment may result in documentation in addition to
that listed in 6) d) of this document. DoD will retain and protect any such
documentation as For Official Use Only (FOUO) and intended for internal DoD use
only. The information will be protected against unauthorized use and release,
including through the exercise of applicable exemptions under the Freedom of
Information Act (e.g., Exemption 4 covers trade secrets and commercial or financial
information obtained from a contractor that is privileged or confidential).
7) Glossary of Terms
a) Enduring exception. Remediation is not feasible; no plan of action required; must be
documented within a system security plan.
b) Temporary deficiency. Remediation of deficiency is feasible; known fix is in process;
requires a plan of action. For the purposes of a DoD NIST SP 800-171 DoD
Assessment, a ‘temporary deficiency’ is not based on an ‘in progress’ initial
implementation of the requirement. A temporary deficiency arises after
implementation. A Temporary deficiency may also apply during the initial
implementation of a NIST SP 800-171 requirement if, during roll-out, specific issues
with certain equipment is discovered that has to be separately addressed.
11
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
12
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
13
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
14
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
15
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
16
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
17
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
18
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
19
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
20
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
Additions/edits to Version 1.1 are shown in blue
21